Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

img-upload

v0.1.0

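Upload a local image to the free image host img.scdn.io and return a public link. Applies when the user needs to turn an image into a shareable URL, upload a generated result, upload a screenshot, upload a local image for external linking, or explicitly asks for a free image host, image hosting, an image hotlink, or a share link. If the task already has a local image file and the next step requires sharing it, referencing it, or pasting it into a document, message, or web page, this skill should be considered first.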

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md and the bundled upload.py all consistently implement uploading a local image to img.scdn.io and returning the public URL and delete URL. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Runtime instructions tell the agent to run the included Python script with a local image path; the script reads the specified file and POSTs it to https://img.scdn.io/api/v1.php. This is exactly what the skill claims to do. Note: uploading transmits the image off-host (public by design), so sensitive images would be exposed. The SKILL.md warns that the delete_url is sensitive.
Install Mechanism
There is no install spec (instruction-only with a bundled script), which is low risk. However the script imports the third‑party Python package 'requests' but the skill does not declare that dependency or provide an install step — users must ensure 'requests' is available in the runtime environment.
Credentials
The skill declares no environment variables, no credentials, and does not read other config or environment state. This is proportionate to its purpose.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does not request persistent system privileges or modify other skills' configuration.
Assessment
This skill appears to do what it claims: it uploads a specified local image file to img.scdn.io and returns a public URL and a deletion URL. Before using it, consider: (1) Do not upload sensitive or private images — uploads are public and could be stored by the CDN. (2) Treat the returned delete_url as sensitive control info and store/handle it securely. (3) Ensure the runtime has Python and the 'requests' library installed; the skill does not provide an installer. (4) If you need an auditable or private storage solution, prefer a trusted paid CDN or your own storage rather than a public free image host. (5) As with any remote upload, review img.scdn.io's terms/privacy if you have compliance concerns. If you want extra assurance, run the script with a non-sensitive test image first and inspect the network target and response.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🖼️ Clawdis
